malwarewikiaorg-20200223-history
Ieronim
Ieronim, or Ieronim-570, is a memory-resident infector of .COM programs, but not COMMAND.COM.

Payload

The first time a program infected with the Ieronim virus is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 576 bytes. Interrupts 08 and 21 will be hooked by Ieronim in memory.

Once memory resident, the Ieronim virus will infect .COM programs when they are executed. Infected programs will have a file length increase of 570 bytes, with the virus located at the end of the file. The program's date and time in the DOS disk directory listing will have been updated to the current system date and time when infection occurred.

The following text strings are visible within the viral code in all Ieronim infected programs:

comcommand
Mulier pulchra est janua diaboli via iniquitatis,scorpionis percussio.
St. Ieronim

Translated from Latin:

Beautiful woman is a devil's entrance, a way of misfortunes,a scorpion's bite
St. Ieronim

Ieronim appears to be a Russian monastery. It shows the bottom three lines and then hangs the system.

Removal

Delete the infected files.

Variants

Leronim.512 and Leronim.560

Leronim.512 and Leronim.560 are the 512 and 560 byte variants of Leronim. They both have the same payload as the original, except that they can reinfect files.

Leronim.600

Leronim.600 is a 600 byte variant of Leronim. This variant's size in memory is 608 bytes, hooking interrupts 08 and 21. It infects .COM programs other than COMMAND.COM when they are executed, adding 600 bytes to their length. The virus will be located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered.
It contains the same text as the original virus and, like the original virus, will occasionally display the message indicated above when the virus is memory resident.

Leronim.1020

Leronim.1020 is a 1,020 byte variant of Leronim. This variant's size in memory is 3,072 bytes, hooking interrupts 08 and 21. It infects .COM programs other than COMMAND.COM when they are executed, adding 1,020 bytes to their length. The virus will be located at the beginning of the file. The program's date and time in the DOS disk directory listing will not appear to be altered, though the seconds field will have been set to "60".

After Ieronim.1020 has been memory resident for some time, it will display the following message in a box on the left center portion of the system display, and hang the system:

Beautiful woman is a devil's entrance, a way of misfortunes,a scorpion's bite
St. Ieronim

Leronim.1024

Leronim.1024 is a 1,024 byte variant of Leronim. This variant's size in memory is 3,072 bytes, hooking interrupts 1C and 21. It infects .COM programs other than COMMAND.COM when they are executed, adding 1,024 bytes to their length. The virus will be located at the beginning of the file. The program's date and time in the DOS disk directory listing will not appear to be altered, though the seconds field will have been set to "60". No text strings are visible within the viral code.

Leronim.1082

Leronim.1082 is a 1,082 byte variant of Leronim. This variant's size in memory is 4,096 bytes, hooking interrupts 09 and 21. It infects .COM programs other than COMMAND.COM when they are executed, adding 1,082 bytes to their length. The virus will be located at the beginning of the file. The program's date and time in the DOS disk directory listing will not appear to be altered, though the seconds field will have been set to "60".

The following text strings are encrypted within the viral code:

�OMO��TE!
command

Execution of some programs may result in the virus clearing the system display and displaying a red box containing the first text string above. After a few seconds, another block will be displayed below the first box, in violet, containing text which is most likely in an Eastern European language. After a few more seconds, the original program display is restored. The purpose here appears to be to interfere with some utilities which look at the interrupt table and other areas of system memory.

Leronim.1581

Leronim.1581 is a 1,581 byte variant of Leronim. This variant's size in memory is 1,584 bytes, hooking interrupts 08 and 21. It infects .COM programs other than COMMAND.COM when they are executed, adding 1,581 bytes to their length. The virus will be located at the end of the file. The program's date and time in the DOS disk directory listing will have been updated to the current system date and time.

The following text strings can be found within the viral code in all Ieronim-1581 infected programs:

command
Le voyage de condom

After Ieronim.1581 has been memory resident for a while, it will scroll the system display and emit an occasional beep until the system is reset. No message is displayed.

Leronim II.1166

Leronim II.1166 is a 1,166 byte variant of Leronim. This variant's size in memory is 4,096 bytes, hooking interrupts 08 and 21. It infects .EXE programs when they are executed, adding 1,166 to 1,677 bytes to their length. The large range of file lengths is due to the manner in which this variant infects .EXE files: it first pads the host program so that its file length is a multiple of 512 bytes, then adds 1,166 bytes of viral code. The virus will be located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered.
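
A triage check built from the indicators described on this page, as an added example that is not part of the original article: it decodes the 16-bit FAT write-time word of a directory entry, flags .COM entries whose seconds field decodes to 60, and searches file contents for the listed text strings. The helper names and the sample directory entries are constructed for illustration.

```python
import struct

# Distinctive text strings the page lists as visible in infected files.
PAGE_STRINGS = (b"Mulier pulchra est janua diaboli", b"St. Ieronim", b"Le voyage de condom")


def decode_dos_time(word):
    """Split a 16-bit FAT time word into (hours, minutes, seconds)."""
    # Bits 15-11 hours, 10-5 minutes, 4-0 seconds in 2-second units.
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2


def parse_dir_entry(entry):
    """Extract name, extension, write time and size from a 32-byte FAT directory entry."""
    name = entry[0:8].decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    time_word, _date, _cluster, size = struct.unpack_from("<HHHI", entry, 22)
    return {"name": name, "ext": ext, "time": decode_dos_time(time_word), "size": size}


def triage(entry, content=b""):
    """Return the indicators from the page that match a directory entry and file body."""
    info, hits = parse_dir_entry(entry), []
    if info["ext"] == "COM":
        if info["time"][2] == 60:  # raw field value 30; a normal clock stops at 58
            hits.append("seconds=60")
        hits += ["string:" + s.decode() for s in PAGE_STRINGS if s in content]
    return hits


def make_entry(name, ext, h, m, s, size):
    """Build a constructed 32-byte directory entry (date fixed at 1991-01-01)."""
    time_word = (h << 11) | (m << 5) | (s // 2)
    date_word = ((1991 - 1980) << 9) | (1 << 5) | 1
    head = name.ljust(8).encode() + ext.ljust(3).encode() + b"\x20" + bytes(10)
    return head + struct.pack("<HHHI", time_word, date_word, 2, size)


if __name__ == "__main__":
    # Constructed samples, not real infected files.
    clean = make_entry("EDIT", "COM", 12, 30, 14, 4000)
    marked = make_entry("TOOL", "COM", 12, 30, 60, 5020)
    body = b"\x90" * 64 + b"St. Ieronim"
    print(triage(clean), triage(marked), triage(clean, body))
```

The seconds check applies to the variants the page describes as setting the field to "60" (1020, 1024 and 1082); the string search does not help with Leronim.1024, which the page says carries no visible text.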